Fast access vectors in real-time behavioral profiling in fraudulent financial transactions

ABSTRACT

A computer-implemented method for real-time transaction fraud vetting, including: receiving a transaction record including real-time transaction data and a key identifying a transacting entity; matching the key to a plurality of profiles of the transacting entity, each of the plurality of profiles including a data attribute; accessing a datapoint for each of the plurality of profiles, each datapoint representing a standard for the corresponding data attribute computed from historical transaction records of the transacting entity; assessing whether deviation of the real-time transaction data from each datapoint exceeds a corresponding threshold; incrementing a transaction risk corresponding to the transaction record for each deviation from one of the datapoints that exceeds the corresponding threshold; outputting a fraud score based at least in part on the transaction risk; and updating at least one datapoint based on the corresponding real-time transaction data to generate an updated datapoint set for the plurality of profiles.

RELATED APPLICATIONS

The current application is a continuation patent application whichclaims priority benefit with regard to all common subject matter toidentically-titled U.S. patent application Ser. No. 17/245,116, filed onApr. 30, 2021, which, itself, is a continuation of and claims prioritybenefit with regard to all common subject matter to U.S. patentapplication Ser. No. 16/184,894, filed on Nov. 8, 2018, which, itself,is a continuation of and claims priority benefit with regard to allcommon subject matter to U.S. patent application Ser. No. 14/520,361,filed Oct. 22, 2014, which, itself, is a continuation-in-partapplication of and claims priority benefit with regard to all commonsubject matter to U.S. patent application Ser. No. 14/514,381, filedOct. 15, 2014, and entitled ARTIFICIAL INTELLIGENCE FRAUD MANAGEMENTSOLUTION, which, itself, is a continuation-in-part application of andclaims priority benefit with regard to all common subject matter to U.S.patent application Ser. No. 14/454,749, filed Aug. 8, 2014, entitledHEALTHCARE FRAUD PREEMPTION, and now issued as U.S. Pat. No. 9,779,407.The listed earlier-filed non-provisional applications are herebyincorporated by reference in their entireties into the current patentapplication.

BACKGROUND OF THE INVENTION Field of the Invention

The present invention relates to real-time financial fraud managementsystems, and more particularly to fast access file systems for smartagent profiles that track transaction behaviors.

Background

Financial institutions are ever-increasingly challenged by constantlyevolving forms of fraud that are arriving on more fronts than ever.Criminals are continually dreaming up new ways to stay one step ahead oflaw enforcement. Financial institutions must simultaneously protecttheir customers from fraud, protect themselves from fraud losses, andcomply with increasingly complex and difficult regulations and mandates.

Everyone is facing significantly more pressure in authenticatingconsumers in non-face-to-face channels to protect their brand fromvulnerabilities and financial losses from fraud. Accurate frauddetection processes are getting more important than ever as mobile andonline channels are used more widely by customers. At the same time,fraudsters' techniques are becoming increasingly sophisticated and theyhave begun using sensitive information and access in one channel toperpetrate frauds in the other channels.

Americans have many different types of on-line accessible accounts androutinely access many different payment products. One such account canbe used to move funds to another, and then the second is used to movethe funds away. For example, a bad check can be deposited to a checkingaccount, and that one used to pay down a credit card balance, which isthen run up to the account limits right away.

Few financial institutions are equipped to detect cross-channel fraud,because they simply manage fraud by payment channel, rather than at thecustomer level. That will not stop fraudsters who compromise onechannel, and then complete a bigger fraud on another. Fraud musttherefore be tracked from the perspective of the customer being theindependent variable.

Whenever there is a risky transaction in one customer relationship, thenall the others need to be looked at. Total customer risk involveslooking at all of the products a particular customer has with afinancial institution. (Better yet, with all independent institutions.)Understanding customers' relationships allows the real risk to beunderstood and quickly controlled. A customer who overdrafts and haslarge assets elsewhere presents a different risk than another whooverdrafts and also has a past-due on a line-of-credit. Cross-channelfraud detection becomes possible if data is organized by customer.

Conventional fraud prevention solutions dedicate a standalone system foreach of several different channels in a so-called silo-approach. But thesilo-approach represents a wasteful duplication of resources, productspecialists, operational costs, and investment costs. Silos can limitautomated, cohesive sharing of information across channels, and thus canhinder advisory alerts and automated stop payments.

Attempts at fraudulent transactions come from all channels, and aregenerated by external people and are often mistakenly interpreted as thecustomer themselves. Fraudulent transaction attempts made by companypersonnel can include changing customer information, faking contactinformation, and faking transactions to look as if the customer madethem.

Enterprises need to monitor their operations, to both prevent fraud andprotect their image. Operational mistakes can be monitored to catchgetting higher or lower commissions, fees or making stock purchaseorders for more than one day at open market prices, selling foreigncurrency at a higher rate, etc.

SUMMARY OF THE INVENTION

Briefly, an artificial intelligence fraud management system of thepresent invention comprises a real-time analytics process for analyzingthe behavior of a user from the transaction events they generate over anetwork. An initial population of smart agent profiles is stored in acomputer file system and more smart agent profiles are added as requiredas transaction data is input. Vectors are assigned to point to a run ofprofile data that all share the same atomic time interval. The vectorsare rolled around to point to newer time intervals as they occur,retiring vectors to expired time intervals, and reassigning thosevectors to point to the newer atomic time intervals. Vectors correspondto particular smart agent profiles (P) and are collected into listsstored in profile blocks with a meta-data header. Transactions thatinvolve a particular entity are made quickly accessible and retrievableby such vectors.

The above and still further objects, features, and advantages of thepresent invention will become apparent upon consideration of thefollowing detailed description of specific embodiments thereof,especially when taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a functional block diagram of an artificial intelligence fraudmanagement solution embodiment of the present invention;

FIG. 2A is a functional block diagram of an application developmentsystem (ADS) embodiment of the present invention for fraud-based targetapplications;

FIG. 2B is a functional block diagram of an improved and updatedapplication development system (ADS) embodiment of the present inventionfor fraud-based target applications;

FIG. 3 is a functional block diagram of a model training embodiment ofthe present invention;

FIG. 4 is a functional block diagram of a real-time payment fraudmanagement system like that illustrated in FIG. 1 as applied paymentfraud model;

FIG. 5 is a functional block diagram of a smart agent process embodimentof the present invention;

FIG. 6 is a functional block diagram of a most recent fifteen-minutetransaction velocity counter;

FIG. 7 is a functional block diagram of a cross-channel payment fraudmanagement embodiment of the present invention;

FIG. 8 is a diagram of a group of smart agent profiles stored in acustom binary file;

FIG. 9 is a diagram of the file contents of an exemplary smart agentprofile;

FIG. 10 is a diagram of a virtual addressing scheme used to accesstransactions in atomic time intervals by their profile vectors;

FIG. 11 is a diagram of a piece of an exemplary profile that spansseveral time intervals; and

FIG. 12 is a diagram of a behavioral forecasting aspect of the presentinvention.

DETAILED DESCRIPTION OF THE INVENTION

FIG. 1 represents an artificial intelligence fraud management solutionembodiment of the present invention, and is referred to herein by thegeneral reference numeral 100. Such solution 100 comprises an expertprogrammer development system 102 for building trainable general paymentfraud models 104 that integrate several, but otherwise blank artificialintelligence classifiers, e.g., neural networks, case based reasoning,decision trees, genetic algorithms, fuzzy logic, and rules andconstraints. These are further integrated by the expert programmersinputs 106 and development system 102 to include smart agents andassociated real-time profiling, recursive profiles, and long-termprofiles.

The trainable general payment fraud models 104 are trained withsupervised and unsupervised data 108 and 110 to produce a trainedpayment fraud model 112 reflecting, for example, accountholder andhistorical transaction data. This trained payment fraud model 112 canthen be sold as a computer program library or a software-as-a-serviceapplied payment fraud model. This is applied by a commercial client inan applied payment fraud model 114 to process real-time transactions andauthorization requests 116 for fraud scores. The applied payment fraudmodel 114 is further able to accept a client tuning input 120.

FIG. 2A represents an application development system (ADS) embodiment ofthe present invention for fraud-based target applications, and isreferred to herein by the general reference numeral 200. Such is theequivalent of development system 102 in FIG. 1 . ADS 200 comprises anumber of computer program development libraries and tools that highlyskilled artificial intelligence scientists and artisans can manipulateinto a novel combination of complementary technologies. In an earlyembodiment of ADS 200 we combined a goal-oriented multi-agent technology201 for building run-time smart agents, a constraint-based programmingtool 202, a fuzzy logic tool 203, a library of genetic algorithms 205, asimulation and planning tool 206, a library of business rules andconstraints 207, case-based reasoning and learning tools 208, areal-time interpreted language compiler 209, a C++ code generator 210, alibrary of data compression algorithms 211, and a database connectivitytool 212.

The highly skilled artificial intelligence scientists and artisansprovide graphical and textual inputs 214 and 216 to a user interface(UI) 218 to manipulate the novel combinations of complementarytechnologies into a declarative application 220.

Declarative application 220 is molded, modeled, simulated, tested,corrected, massaged, and unified into a fully functional hybridcombination that is eventually output as a trainable general paymentfraud model 222. Such is the equivalent of trainable general paymentfraud model 104 in FIG. 1 .

It was discovered by the present inventor that the highly skilledartificial intelligence scientists and artisans that could manipulatethe complementary technologies mentioned into specific novelcombinations required exceedingly talented individuals that were inshort supply.

It was, however, possible to build and to prove out that ADS 200 as acompiler would produce trainable general payment fraud models 222, andthese were more commercially attractive and viable.

After many years of experimental use and trials, ADS 200 was constantlyimproved and updated. Database connectivity tool 212, for example, triedto press conventional databases into service during run-time to receiveand supply datapoints in real-time transaction service. It turned out noconventional databases were up to it.

At the present, an updated and improved ADS shown with general referencenumeral 230 in FIG. 2B is providing better and more useful trainablegeneral payment fraud models.

ADS 230 is the most recent equivalent of development system 102 in FIG.1 . ADS 230 assembles together a different mix of computer programdevelopment libraries and tools for the highly skilled artificialintelligence scientists and artisans to manipulate into a new hybrid ofstill complementary technologies.

In this later embodiment, ADS 230, we combined an improved smart—agenttechnology 231 for building run-time smart agents that are essentiallyonly silhouettes of their constituent attributes. These attributes arethemselves smart-agents with second level attributes and values that areable to “call” on real-time profilers, recursive profilers, and longterm profilers. Such profilers can provide comparative assessments ofeach datapoint with the new information flowing in during run-time. Ingeneral, “real-time” profiles include transactions less than ninety daysold. Long-term profiles accumulate transactions over ninety days old. Insome applications, the line of demarcation was forty-five days, due todata storage concerns. Recursive profiles are those that inspect what anentity's peers have done in comparison.

The three profilers can thereafter throw exceptions in each datapointcategory, and the number and quality of exceptions thrown across thebreadth of the attributes then incoming will produce a fraud risk scorethat generally raises exponentially with that number of exceptionsthrown. Oracle explains in C++ programming that exceptions provide a wayto react to exceptional circumstances (like fraud suspected) in programsby transferring control to special functions called “handlers”.

At the top level of a hierarchy of smart agents linked by theirattributes are the smart agents for the independent actors who canengage in fraud. In a payment fraud model, that top level will be thecardholders as tracked by the cardholder account numbers reported intransaction data.

These top level smart agents can call on a moving 15-minute window filethat has all the transactions reported to the system in the last15-minutes. Too much activity in 15-minutes by any one actor is causefor further inspection and analysis.

ADS 230 further comprises a constraint-based programming tool 232, afuzzy logic tool 233, a library of advanced neural network algorithms234, a library of genetic algorithms 235, a simulation and planning tool236, a library of business rules and constraints 237, case-basedreasoning and learning tools 238, a data mining tool 239, a text miningtool 240, a statistical tool 241 and a real-time file system 242.

The real-time file system 242 is a simple organization of attributevalues for smart agent profilers that allow quick, direct file access.

The highly skilled artificial intelligence scientists and artisansprovide graphical and textual inputs 244 and 246 to a user interface(UI) 248 to manipulate the novel combinations of complementarytechnologies into a declarative application 250.

Declarative application 250 is also molded, modeled, simulated, tested,corrected, massaged, and unified into a fully functional hybridcombination that is eventually output as a trainable general paymentfraud model 252. Such is also the more improved equivalent of trainablegeneral payment fraud model 104 in FIG. 1 .

The constraint-based programming tools 202 and 232 limit the number ofpossible solutions. Complex conditions with complex constraints cancreate an exponential number of possibilities. Fixed constraints, fuzzyconstraints, and polynomials are combined in cases where no exactsolution exists. New constraints can be added or deleted at any time.The dynamic nature of the tool makes possible real-time simulations ofcomplex plans, schedules, and diagnostics.

The constraint-based programming tools are written as a very completelanguage in its own right. It can integrate a variety of variables andconstraints, as in the following Table.

 Variables: Real, with integer values, enumerated, sets, matrices andvectors, intervals, fuzzy subsets, and more.  Arithmetic Constraints: =,+, −, *, /, /=, >, <, >=, <=, interval addition, interval subtraction,interval multiplication and interval division, max, min, intersection,union, exponential, modulo, logarithm, and more.  Temporal (Allen)Constraints: Control allows you to write any temporal constraintsincluding Equal, N-equal, Before, After, Meets, Overlaps, Starts,Finishes, and personal temporal operators such as Disjoint, Started-by,Overlapped-by, Met-by, Finished-by, and more.  Boolean Constraints: Or,And, Not, XOR, Implication, Equivalence  Symbolic Constraints:Inclusion, Union, Intersection, Cardinality, Belonging, and more.

The constraint-based programming tools 202 and 232 include a library ofways to arrange subsystems, constraints and variables. Controlstrategies and operators can be defined within or outside usingtraditional languages such as C, C++, FORTRAN, etc. Programmers do nothave to learn a new language, and an easy-to-master programminginterface provides an in-depth library and traditional tools.

Fuzzy logic tools 203 and 233 recognize many of the largest problems inorganizations cannot be solved by simple yes/no or black/white answers.Sometimes the answers need to be rendered in shades of gray. This iswhere fuzzy logic proves useful. Fuzzy logic handles imprecision oruncertainty by attaching various measures of credibility topropositions. Such technology enables clear definitions of problemswhere only imperfect or partial knowledge exists, such as when a goal isapproximate, or between all and nothing. In fraud applications, this canequate to the answer being “maybe” fraud is present, and thecircumstances warrant further investigation.

Tools 204 and 234 provide twelve different neural network algorithms,including Back propagation, Kohonen, Art, Fuzzy ART, RBF and others, inan easy-to-implement C++ library. Neural networks are algorithmicsystems that interpret historical data to identify trends and patternsagainst which to compare subject cases. The libraries of advanced neuralnetwork algorithms can be used to translate databases to neurons withoutuser intervention, and can significantly accelerate the speed ofconvergence over conventional back propagation, and other neural networkalgorithms. The present invention's neural net is incremental andadaptive, allowing the size of the output classes to change dynamically.An expert mode in the advanced application development tool suiteprovides a library of twelve different neural network models for use incustomization.

Neural networks can detect trends and patterns other computer techniquesare unable to. Neurons work collaboratively to solve the definedproblem. Neural networks are adept in areas that resemble humanreasoning, making them well suited to solve problems that involvepattern recognition and forecasting. Thus, neural networks can solveproblems that are too complex to solve with conventional technologies.

Libraries 205 and 235 include genetic algorithms to initialize apopulation of elements where each element represents one possible set ofinitial attributes. Once the models are designed based on theseelements, a blind test performance is used as the evaluation function.The genetic algorithm will be then used to select the attributes thatwill be used in the design of the final models. The componentparticularly helps when multiple outcomes may achieve the samepredefined goal. For instance, if a problem can be solved profitably inany number of ways, genetic algorithms can determine the most profitableway.

Simulation and planning tool 206 can be used during model designs tocheck the performances of the models.

Business rules and constraints 207 provides a central storage of bestpractices and know how that can be applied to current situations. Rulesand constraints can continue to be captured over the course of years,applying them to the resolution of current problems.

Case-based reasoning 208 uses past experiences in solving similarproblems to solve new problems. Each case is a history outlined by itsdescriptors and the steps that lead to a particular outcome. Previouscases and outcomes are stored and organized in a database. When asimilar situation presents itself again later, a number of solutionsthat can be tried, or should be avoided, will present immediately.Solutions to complex problems can avoid delays in calculations andprocessing, and be offered very quickly.

Language interpretation tool 209 provides a constant feedback andevaluation loop. Intermediary Code generator 210 translates DeclarativeApplications 220 designed by any expert into a faster program for atarget host.

During runtime, real time transaction data can be received and processedaccording to declarative application 220 by the target host with theobjective of producing run-time fraud detections. For example, in apayments application card payments transaction requests from merchantscan be analyzed for fraud activity. In healthcare applications thereports and compensation demands of providers can be scanned for fraud.And in insider trader applications individual traders can be scrutinizedfor special knowledge that could have illegally helped them profit fromstock market moves.

File compression algorithms library 211 helps preserve network bandwidthby compressing data at the user's discretion.

FIG. 3 represents a model training embodiment of the present invention,and is referred to herein by the general reference numeral 300. Modeltrainer 300 can be fed a very complete, comprehensive transactionhistory 302 that can include both supervised and unsupervised data. Afilter 304 actually comprises many individual filters that can beselected by a switch 306. Each filter can separate the supervised andunsupervised data from comprehensive transaction history 302 into astream correlated by some factor in each transaction.

The resulting filtered training data will produce a trained model thatwill be highly specific and sensitive to fraud in the filtered category.When two or more of these specialized trained models used in parallelare combined in other embodiments of the present invention they willexcel in real-time cross-channel fraud prevention.

In a payment card fraud embodiment of the present invention, duringmodel training, the filters 304 are selected by switch 306 to filterthrough dozens of different channels, one-at-a-time for each real-time,risk-scoring channel model that will be needed and later run together inparallel. For example, such channels can include channel transactionsand authorization requests for card-not-present, card-present, high riskmerchant category code (MCC), micro-merchant, small and medium sizedenterprise (SME) finance, international, domestic, debit card, creditcard, contactless, or other groupings or financial networks.

The objective here is to detect a first hint of fraud in any channel fora particular accountholder, and to “warn” all the other real-time,risk-scoring channel models that something suspicious is occurring withthis accountholder. In one embodiment, the warning comprises an updatein the nature of feedback to the real-time, long-term, and recursiveprofiles for that accountholder so that all the real-time, risk-scoringchannel models step up together and increment the risk thresholds thataccountholder will be permitted. More hits in more channels shouldtranslate to an immediate alert and shutdown of all the affectedaccountholders accounts.

Competitive prior art products make themselves immediately unattractiveand difficult to use by insisting that training data suit someparticular format. In reality, training data will come from multiple,disparate, dissimilar, incongruent, proprietary data sourcessimultaneously. A data cleanup process 308 is therefore important toinclude here to do coherence analysis, and to harmonize, unify,error-correct, and otherwise standardize the heterogeneous data comingfrom transaction data history 302. The commercial advantage of that is awide range of clients with many different channels can provide theirtransaction data histories 302 in whatever formats and file structuresare natural to the provider. It is expected that embodiments of thepresent invention will find applications in financial services, defenseand cyber security, health and public service, technology, mobilepayments, retail and e-commerce, marketing and social networking, andothers.

A data enrichment process 310 computes interpolations and extrapolationsof the training data, and expands it out to as many as two-hundred andfifty datapoints from the forty or so relevant datapoints originallyprovided by transaction data history 302.

A trainable fraud model 312 (like that illustrated in FIG. 1 astrainable general payment fraud model 104) is trained into a channelspecialized fraud model 314, and each is the equivalent of the appliedfraud model 114 illustrated in FIG. 1 . The selected training resultsfrom the switch 306 setting and the filters 304 then existing.

Channel specialized fraud models 314 can be sold individually or inassorted varieties to clients, and then imported by them as a commercialsoftware app, product, or library.

A variety of selected applied fraud models 316-323 represent the appliedfraud models 114 that result with different settings of filter switch306. Each selected applied fraud model 314 will include a hybrid ofartificial intelligence classification models represented by models330-332 and a smart-agent population build 334 with a corresponding setof real-time, recursive, and long-term profilers 336. The enriched datafrom data enrichment process 310 is fully represented in the smart-agentpopulation build 334 and profilers 336.

FIG. 4 represents a real-time payment fraud management system 400 likethat illustrated in FIG. 1 as applied payment fraud model 114. A rawtransaction separator 402 filters through the forty or so data itemsthat are relevant to the computing of a fraud score. A process 404 addstimestamps to these relevant datapoints and passes them in parallel to aselected applied fraud model 406. This is equivalent to a selected oneof applied fraud models 316-323 in FIG. 3 and applied payment fraudmodel 114 in FIG. 1 .

During a session in which the time-stamped relevant transaction dataflows in, a set of classification models 408-410 operate independentlyaccording to their respective natures. A population of smart agents 412and profilers 414 also operate on the time-stamped relevant transactiondata inflows. Each new line of time-stamped relevant transaction datawill trigger an update 416 of the respective profilers 414. Theirattributes 418 are provided to the population of smart agents 412.

The classification models 408-410 and population of smart agents 412 andprofilers 414 all each produce an independent and separate vote or fraudscore 420-423 on the same line of time-stamped relevant transactiondata. A weighted summation processor 424 responds to client tunings 426to output a final fraud score 428.

FIG. 5 represents a smart agent process 500 in an embodiment of thepresent invention. For example, these would include the smart agentpopulation build 334 and profiles 336 in FIG. 3 and smart agents 412 andprofiles 414 in FIG. 4 . A series of payment card transactions arrivingin real-time in an authorization request message is represented here bya random instantaneous incoming real-time transaction record 502.

Such record 502 begins with an account number 504. It includesattributes A1-A9 numbered 505-513 here. These attributes, in the contextof a payment card fraud application would include datapoints for cardtype, transaction type, merchant name, merchant category code (MCC),transaction amount, time of transaction, time of processing, etc.

Account number 504 in record 502 will issue a trigger 516 to acorresponding smart agent 520 to present itself for action. Smart agent520 is simply a constitution of its attributes, again A1-A9 and numbered521-529 in FIG. 5 . These attributes A1-A9 521-529 are merely pointersto attribute smart agents. Two of these, one for A1 and one for A2, arerepresented in FIG. 5 .

Here, an A1 smart agent 530 and an A2 smart agent 540. These arerespectively called into action by triggers 532 and 542.

A1 smart agent 530 and A2 smart agent 540 will respectively fetchcorrespondent attributes 505 and 506 from incoming real-time transactionrecord 502. Smart agents for A3-A9 make similar fetches to themselves inparallel. They are not shown here to reduce the clutter for FIG. 5 thatwould otherwise result.

Each attribute smart agent like 530 and 540 will include or access acorresponding profile datapoint 536 and 546. This is actually asimplification of the three kinds of profiles 336 (FIG. 3 ) that wereoriginally built during training and updated in update 416 (FIG. 4 ).These profiles are used to track what is “normal” behavior for theparticular account number for the particular single attribute.

For example, if one of the attributes reports the MCC's of the merchantsand another reports the transaction amounts, then if the long-term,recursive, and real time profiles for a particular account number xshows a pattern of purchases at the local Horne Depot and Costco thataverage $100-$300, then an instantaneous incoming real-time transactionrecord 502 that reports another $200 purchase at the local Costco willraise no alarms. But a sudden, unique, inexplicable purchase for $1250at a New York Jeweler will and should throw more than one exception.

Each attribute smart agent like 530 and 540 will further include acomparator 537 and 547 that will be able to compare the correspondingattribute in the instantaneous incoming real-time transaction record 502for account number x with the same attributes held by the profiles forthe same account. Comparators 537 and 547 should accept some slack, butnot too much. Each can throw an exception 538 and 548, as can thecomparators in all the other attribute smart agents. It may be usefulfor the exceptions to be a fuzzy value, e.g., an analog signal 0.0 to1.0. Or it could be a simple binary one or zero. What sort of excursionsshould trigger an exception is preferably adjustable, for example withclient tunings 426 in FIG. 4 .

These exceptions are collected by a smart agent risk algorithm 550. Onedeviation or exception thrown on any one attribute being “abnormal” canbe tolerated if not too egregious. But two or more should be weightedmore than just the simple sum, e.g., (l+1)^(n)=2^(n) instead of simplyl+l=2. The product is output as a smart agent risk assessment 552. Thisoutput is the equivalent of independent and separate vote or fraud score423 in FIG. 4 .

FIG. 6 represents a most recent 15-minute transaction velocity counter600, in an embodiment of the present invention. It receives the samekind of real-time transaction data inputs as were described inconnection with FIG. 4 as raw transaction data 402 and FIG. 5 as records502. A raw transaction record 602 includes a hundred or so datapoints.About forty of those datapoints are relevant to fraud detection and areidentified in FIG. 6 as reported transaction data 604.

The reported transaction data 604 arrive in a time series and randomlyinvolve a variety of active account numbers. But, let's say the mostcurrent reported transaction data 604 with a time age of 0:00 concerns aparticular account number x. That fills a register 606.

Earlier arriving reported transaction data 604 build a transactiontime-series stack 608. FIG. 6 arbitrarily identifies the respective agesof members of transaction time-series stack 608 with example ages 0:73,1:16, 3:11, 6:17, 10:52, 11:05, 13:41, and 14:58. Those aged more than15-minutes are simply identified with ages “>15:00”. This embodiment ofthe present invention is concerned with only the last 15-minutes worthof transactions. As time passes transaction time-series stack 608 pushesdown.

The key concern is whether account number x has been involved in anyother transactions in the last 15-minutes. A search process 610 acceptsa search key from register 606 and reports any matches in the 15-minutewindow with an account activity velocity counter 612. Too much veryrecent activity can hint there is a fraudster at work, or it may benormal behavior. A trigger 614 is issued that can be fed to anadditional attribute smart agent that is included with attributes smartagents 530 and 540 and the others in parallel. Exception from this newaccount activity velocity counter smart agent is input to smart agentrisk algorithm 550 in FIG. 5 .

FIG. 7 represents a cross-channel payment fraud management embodiment ofthe present invention, and is referred to herein by general referencenumeral 700.

Real-time cross-channel monitoring uses track cross channel and crossproduct patterns to cross pollinate information for more accuratedecisions. Such track not only the channel where the fraud ends but alsothe initiating channel to deliver holistic fraud monitoring. Astandalone internet banking fraud solution will allow a transaction ifit is within its limits, however if core banking is in the picture, thenit will stop this transaction, as we additionally know the source offunding of this account (which mostly is missing in internet banking).

In FIG. 3 , a variety of selected applied fraud models 316-323 representthe applied fraud models 114 that result with different settings offilter switch 306. A real-time cross-channel monitoring payment networkserver can be constructed by running several of these selected appliedfraud models 316-323 in parallel.

FIG. 7 represents a real-time cross-channel monitoring payment networkserver 700, in an embodiment of the present invention. Each customer oraccountholder of a financial institution can have several very differentkinds of accounts and use them in very different transactional channels.For example, card-present, domestic, credit card, contactless, and highrisk MCC channels. So in order for a cross-channel fraud detectionsystem to work at its best, all the transaction data from all thechannels is funneled into one pipe for analysis.

Real-time transactions and authorization requests data is input andstripped of irrelevant datapoints by a process 702. The resultingrelevant data is time-stamped in a process 704. The 15-minute vectorprocess of FIG. 6 may be engaged at this point in the background. A bus706 feeds the data in parallel line-by-line, e.g., to a selected appliedfraud channel model for card present 708, domestic 709, credit 710,contactless 711, and high risk MCC 712. Each can pop an exception to thecurrent line input data with an evaluation flag or score 718-722. Theinvolved accountholder is understood.

These exceptions are collected and analyzed by a process 724 that canissue warning feedback for the profiles maintained for eachaccountholder. Each selected applied fraud channel model 708-712 sharesrisk information about particular accountholders with the other selectedapplied fraud models 708-712. A suspicious or outright fraudulenttransaction detected by a first selected applied fraud channel model708-712 for a particular customer in one channel is cause for a riskadjustment for that same customer in all the other applied fraud modelsfor the other channels. Exceptions 718-722 to an instant transaction onbus 706 trigger an automated examination of the customer oraccountholder involved in a profiling process 724, especially withrespect to the 15-minute vectors and activity in the other channels forthe instant accountholder. A client tuning input 726 will affect anultimate accountholder fraud scoring output 728, e.g., by changing therespective risk thresholds for genuine-suspicious-fraudulentdeterminations.

A corresponding set of warning triggers 730-734 is fed back to all theapplied fraud channel models 708-712. A compromised accountholder resultindicated by accountholder fraud scoring 728 can be expected to be ahighly accurate and early protection warning.

In general, a process for cross-channel financial fraud protectioncomprises training a variety of real-time, risk-scoring fraud modelswith training data selected for each from a common transaction historyto specialize each member in the monitoring of a selected channel. Thenarranging the variety of real-time, risk-scoring fraud models after thetraining into a parallel arrangement so that all receive a mixed channelflow of real-time transaction data or authorization requests. Theparallel arrangement of diversely-trained real-time, risk-scoring fraudmodels is hosted on a network server platform for real-time risk scoringof the mixed channel flow of real time transaction data or authorizationrequests. Risk thresholds are immediately updated for particularaccountholders in every member of the parallel arrangement ofdiversely-trained real-time, risk-scoring fraud models when any one ofthem detects a suspicious or outright fraudulent transaction data orauthorization request for the accountholder. So, a compromise, takeover,or suspicious activity of the accountholder's account in any one channelis thereafter prevented from being employed to perpetrate a fraud in anyof the other channels.

Such process for cross-channel financial fraud protection can furthercomprise steps for building a population of real-time and a long-termand a recursive profile for each accountholder in each of the real-time,risk-scoring fraud models. During real-time use, the real-time,long-term, and recursive profiles for each accountholder in each and allof the real-time, risk-scoring fraud models are maintained and updatedwith newly arriving data. If, during real-time use, a compromise,takeover, or suspicious activity of the accountholder's account in anyone channel is detected, then the real-time, long-term, and recursiveprofiles for each accountholder in each and all of the other real-time,risk-scoring fraud models are updated to further include an elevatedrisk flag. The elevated risk flags are included in accountholder fraudscoring 728 for the current transaction or authorization request.

The 15-minute vectors described in FIG. 6 are a way to cross pollenaterisks calculated in one channel with the others. The 15-minute vectorscan represent an amalgamation of transactions in all channels, orchannel-by channel. Once a 15-minute vector has aged, it can be shiftedinto a 30-minute vector, a one-hour vector, and a whole day vector by asimple shift register means. These vectors represent velocity countsthat can be very effective in catching fraud as it is occurring in realtime.

In every case, embodiments of the present invention include adaptivelearning that combines three learning techniques to evolve theartificial intelligence classifiers, e.g., 408-414. First is theautomatic creation of profiles, or smart-agents, from historical data,e.g., long-term profiling. See FIG. 3 . The second is real-timelearning, e.g., enrichment of the smart-agents based on real-timeactivities. See FIG. 4 . The third is adaptive learning carried byincremental learning algorithms. See FIG. 7 .

For example, two years of historical credit card transactions dataneeded over twenty seven terabytes of database storage. A smart-agent iscreated for each individual card in that data in a first learning step,e.g., long-term profiling. Each profile is created from the card'sactivities and transactions that took place over the two year period.Each profile for each smart-agent comprises knowledge extractedfield-by-field, such as merchant category code (MCC), time, amount foran mcc over a period of time, recursive profiling, zip codes, type ofmerchant, monthly aggregation, activity during the week, weekend,holidays, Card not present (CNP) versus card present (CP), domesticversus cross-border, etc. this profile will highlight all the normalactivities of the smart-agent (specific card).

Smart-agent technology has been observed to outperform conventionalartificial and machine learning technologies. For example, data miningtechnology creates a decision tree from historical data. When historicaldata is applied to data mining algorithms, the result is a decisiontree. Decision tree logic can be used to detect fraud in credit cardtransactions. But, there are limits to data mining technology. The firstis data mining can only learn from historical data and it generatesdecision tree logic that applies to all the cardholders as a group. Thesame logic is applied to all cardholders even though each merchant mayhave a unique activity pattern and each cardholder may have a uniquespending pattern.

A second limitation is decision trees become immediately outdated. Fraudschemes continue to evolve, but the decision tree was fixed withexamples that do not contain new fraud schemes. So stagnant non-adaptingdecision trees will fail to detect new types of fraud, and do not havethe ability to respond to the highly volatile nature of fraud.

Another technology widely used is “business rules” which requires actualbusiness experts to write the rules, e.g., if-then-else logic. The mostimportant limitations here are that the business rules require writingrules that are supposed to work for whole categories of customers. Thisrequires the population to be sliced into many categories (students,seniors, zip codes, etc.) and asks the experts to provide rules thatapply to all the cardholders of a category.

How could the US population be sliced? Even worse, why would all thecardholders in a category all have the same behavior? It is plain thatbusiness rules logic has built-in limits, and poor detection rates withhigh false positives. What should also be obvious is the rules areoutdated as soon as they are written because conventionally they don'tadapt at all to new fraud schemes or data shifts.

Neural network technology also has limits; it uses historical data tocreate a matrix weights for future data classification. The Neuralnetwork will use as input (first layer) the historical transactions andthe classification (for fraud or not as an output). Neural Networks onlylearn from past transactions and cannot detect any new fraud schemes(that arise daily) if the neural network is not re-trained with thistype of fraud. Same as with data mining and business rules, theclassification logic learned from the historical data will be applied toall the cardholders even though each merchant has a unique activitypattern and each cardholder has a unique spending pattern.

Another limit is the classification logic learned from historical datais outdated the same day of its use because the fraud schemes change butthe neural network does not learn with examples that contain such newtype(s) of fraud schemes, and will fail to detect such new type(s) offraud because it lacks the ability to adapt to new fraud schemes anddoes not have the ability to respond to the highly volatile nature offraud.

Contrary to previous technologies, smart-agent technology learns thespecific behaviors of each cardholder and creates a smart-agent thatfollows the behavior of each cardholder. Because it learns from eachactivity of a cardholder, the smart-agent updates the profiles and makeseffective changes at runtime. It is the only technology with an abilityto identify and stop, in real-time, previously unknown fraud schemes. Ithas the highest detection rate and lowest false positives because itseparately follows and learns the behaviors of each cardholder.

Smart-agents have a further advantage in data size reduction. Once, say,twenty-seven terabytes of historical data is transformed intosmart-agents, only 200-gigabytes is needed to represent twenty-sevenmillion distinct smart-agents corresponding to all the distinctcardholders.

Incremental learning technologies are embedded in the machine algorithmsand smart-agent technology to continually re-train from any falsepositives and negatives that occur along the way. Each corrects itselfto avoid repeating the same classification errors. Data mining logicincrementally changes the decision trees by creating a new link orupdating the existing links and weights. Neural networks update theweight matrix, and case-based reasoning logic updates generic cases orcreates new ones. Smart-agents update their profiles by adjusting thenormal/abnormal thresholds, or by creating exceptions.

In real-time behavioral profiling by the smart-agents, both thereal-time and long-term engines require high speed transfers and lots ofprocessor attention. Conventional database systems cannot provide thetransfer speeds necessary, and the processing burdens cannot betolerated.

Embodiments of the present invention include a fast, low overhead,custom file format and storage engine designed to retrieve profiles inreal-time with a constant low load and save time. For example, theprofiles 336 built in FIG. 3 , and long-term, recursive, and real-timeprofiles 414 in FIG. 4 .

Referring now to FIG. 8 , a group of smart agent profiles is stored in acustom binary file 800 which starts with a meta-data section 802containing a profile definition, and a number of fixed size profileblocks, e.g., 804, 805, . . . 806 each containing the respectiveprofiles. Such profiles are individually reserved to and used by acorresponding smart agent, e.g., profile 536 and smart agent 530 in FIG.5 . Fast file access to the profiles is needed on the arrival of everytransaction 502. In FIG. 5 , account number 504 signals the particularsmart agents and profiles to access and that are required to provide asmart agent risk assessment 552 in real-time. For example, an approvalor a denial in response to an authorization request message.

FIG. 9 represents what's inside each such profile, e.g., a profile 900includes a meta-data block 902 and a rolling list of vectors 904. Themeta-data block 902 comprises the oldest one's time field 906, and arecord length field 908. Transaction events are timestamped, recorded,and indexed by a specified atomic interval, e.g., ten minute intervalsare typical, which is six hundred seconds. Each vector points to a runof profile datapoints that all share the same time interval, e.g.,intervals 910-912. Some intervals will have no events, and therefore novectors 904. Here, all the time intervals less than ninety days old areconsidered by the real-time (RT) profiles. Ones older than that areamalgamated into the respective long-term (LT) profiles.

What was purchased and how long ago a transaction for a particularaccountholder occurred, and when their other recent transactionsoccurred, can provide valuable insights into whether the transactionsthe accountholder is presently engaging in are normal and in character,or deviating. Forcing a fraud management and protection system to hunt aconventional database for every transaction a particular randomaccountholder engaged in is not practical. The accountholders'transactions must be pre-organized into their respective profiles sothey are always randomly available for instant calculations. How that ismade possible in embodiments of the present invention is illustratedhere in FIGS. 5, 6, and 8-10 .

FIG. 10 illustrates a virtual memory system 1000 in which a virtualaddress representation 1002 is translated into a physical memory address1004, and/or a disk block address 1006.

Profiling herein looks at events that occurred over a specific span oftime. Any vectors that were assigned to events older than that areretired and made available for re-assignment to new events as they areadded to the beginning of the list.

The following pseudo-code examples represent how smart agents (e.g.,412, 550) lookup profiles and make behavior deviation computations. Afirst step when a new transaction (e.g., 502) arrives is to find the oneprofile it should be directed to in the memory or filing system.

find_profile( T: transaction, PT : Profile's Type ) Begin  Extract thevalue from T for each key used in the routing logic for PT  Combine thevalues from each key into PK  Search for PK in the in-memory index  Iffound, load the profile in the file of type PT based on the indexed position.  Else, this is a new element without a profile of type PTyet. End

If the profile is not a new one, then it can be updated, otherwise a newone has to be created.

update_profile( T: transaction, PT :Profile's Type ) Begin  find_profileof type PT P associated to T  Deduce the timestamp t associated to T  IfP is empty, then add a new record based on the atomic interval for t Else locate the record to update based on t   If there is no recordassociated to t yet,   Then add a new record based on the atomicinterval for t   For each datapoint in the profile, update the recordwith the values   in T (by increasing a count, sum, deducing a newminimum,   maximum ...).  Save the update to disk End compute_profile(T: transaction, PT : Profile's Type ) Begin  update_profile P of type PTwith T  Deduce the timestamp t associated to T  For each datapoint DP inthe profile,   Initialize the counter C   For each record R in theprofile P    If the timestamp t associated to R belongs to the span oftime for    DR    Then update C with the value of DB in the record R (byincreasing     a count, sum, deducing a new minimum, maximum ...)   EndFor  End For  Return the values for each counter C End compute_profile(T: transaction, PT : Profile's Type ) Begin  update_profile P of type PTwith T  Deduce the timestamp t associated to T  For each datapoint DP inthe profile,   Initialize the counter C   For each record R in theprofile P    If the timestamp t associated to R belongs to the span oftime for    DR    Then update C with the value of DB in the record R (byincreasing     a count, sum, deducing a new minimum, maximum ...)    EndFor   End For   Return the values for each counter C End

The entity's behavior in the instant transaction is then analyzed todetermine if the real-time (RT) behavior is out of the norm defined inthe corresponding long-term (LT) profile. If a threshold (T) isexceeded, the transaction risk score is incremented.

analyze_entity_behavior( T: transaction ) Begin  Get the real-timeprofile RT by calling compute_profile( T, real-time )  Get the long-termprofile LT by calling compute_profile( T, long-term )  Analyze thebehavior of the entity by comparing its current behavior RT  to its pastbehavior LT:  For each datapoint DP in the profile,   Compare thecurrent value in RT to the one in LT (by computing the   ratio ordistance between the values).    If the ratio or distance is greaterthan the pre-defined threshold,    Then increase the risk associated tothe transaction T    Else decrease the risk associated to thetransaction T  End For  Return the global risk associated to thetransaction T End

The entity's behavior in the instant transaction can further be analyzedto determine if its real-time (RT) behavior is out of the norm comparedto its peer groups. If a threshold (T) is exceeded, the transaction riskscore is incremented.

Recursive profiling compares the transaction (T) to the entity's peersone at a time.

compare_entity_to_peers( T: transaction ) Begin  Get the real-timeprofile RTe by calling compute_profile ( T,  real-time )  Get thelong-term profile LTe by calling compute_profile ( T,  long-term ) Analyze the behavior of the entity by comparing it to its peer groups: For each peer group associated to the entity   Get the real-timeprofile RTp of the peer: compute_profile ( T,   real-time )   Get thelong-term profile LTp of the peer: compute_profile( T,   long-term )  For each datapoint DP in the profile,   Compare the current value inRTe and LTe to the ones in RTp and   LTp (by computing the ratio ordistance between the values).    If the ratio or distance is greaterthan the pre-defined threshold,    Then increase the risk associated tothe transaction T    Else decrease the risk associated to thetransaction T   End For  End For  Return the global risk associated tothe transaction T End

Each attribute inspection will either increase or decrease theassociated overall transaction risk. For example, a transaction with azipcode that is highly represented in the long term profile would reducerisk. A transaction amount in line with prior experiences would also bea reason to reduce risk. But an MCC datapoint that has never been seenbefore for this entity represents a high risk. (Unless it could beforecast or otherwise predicted.)

One or more datapoints in a transaction can be expanded with a velocitycount of how-many or how-much of the corresponding attributes haveoccurred over at least one different span of time intervals. Thevelocity counts are included in a calculation of the transaction risk.

Transaction risk is calculated datapoint-by-datapoint and includesvelocity count expansions. The datapoint values that exceed a normativepoint by a threshold value increment the transaction risk. Datapointvalues that do not exceed the threshold value cause the transaction riskto be decremented. A positive or negative bias value can be added thateffectively shifts the threshold values to sensitize or desensitize aparticular datapoint for subsequent transactions related to the sameentity. For example, when an airline expense is certain to be followedby a rental car or hotel expense in a far away city. The MCC's forrental car and hotel expenses are desensitized, as are datapoints formerchant locations in a corresponding far away city.

FIG. 11 illustrates an example of a profile 1100 that spans a number oftime intervals t₀ to t₈. Transactions, and therefore profiles normallyhave dozens of datapoints that either come directly from eachtransaction or that are computed from transactions for a single entityover a series of time intervals. A typical datapoint 1110 velocitycounts the number of events that have occurred in the last thirtyminutes (count 1112), the last six hours (count 1114), and the lasttwenty-four hours (count 1116). In this example, t_(o) had one event, t₄had 3 events, t₂ had 2 events, t₃ had 3 events, t₄ had 2 events, t₅ had5 events, t₆ had 3 events, t₇ had one event, and t₈ had 2 events;therefore, t₂ count 1112=6, t₅ count 1114=16, and t₇ count 1116=20.These three counts, 1112-1116 provide their velocity count computationsin a simple and quick-to-fetch summation.

FIG. 12 illustrates a behavioral forecasting aspect of the presentinvention. A forecast model 1200 engages in a real-time analysis 1202,consults a learned past behavior 1204, and then makes a behavioralprediction 1206. For example, the real-time analysis 1202 includes aflight purchase for $1410.65, an auto pay for cable for $149.50, and ahotel for $2318.80 in a most recent event. It makes sense that thebooking and payment for a flight would be concomitant with a hotelexpense, as both represent travel. Consulting the learned past behavior1204 reveals that transactions for flights and hotels have also beenaccompanied by a car rental. Forecasting a car rental in the near futureis and easy and reasonable assumption to make in behavioral prediction1206.

Normally, an out-of-character expense for a car rental would carry acertain base level of risk. But if it can be forecast that one iscoming, and it arrives, then the risk can be reduced since it has beenforecast and is expected. Embodiments of the present invention thereforetemporarily reduce risk assessments in the future transactions wheneverparticular classes and categories of expenses can be predicted orforecast.

In another example, a transaction to pay tuition at a local collegecould be expected to result in related expenses. Forecasts for bookstorepurchases and ATM cash withdrawals at the college are reasonable. Thebottom-line is that fewer false positives will result.

Although particular embodiments of the present invention have beendescribed and illustrated, such is not intended to limit the invention.Modifications and changes will no doubt become apparent to those skilledin the art, and it is intended that the invention only be limited by thescope of the appended claims.

1. A computer-implemented method for real-time transaction fraudvetting, comprising: receiving, at one or more processors, a transactionrecord that includes real-time transaction data relating to atransaction of an accountholder; matching, via the one or moreprocessors, the transaction record to an applied fraud model thatincludes— a plurality of long-term profiles of the accountholder thatcorrespond respectively to a plurality of attributes of transactionbehavior of the accountholder, each of the plurality of long-termprofiles defining one or more normal values for each of the plurality ofattributes computed from historical transaction records of theaccountholder, and an artificial intelligence classifier that isconstructed according to at least one of: a neural network, case-basedreasoning, a decision tree, a genetic algorithm, fuzzy logic, and rulesand constraints, the artificial intelligence classifier being trained toflag fraudulent activity based on historical transaction data of aplurality of accountholders; incrementing, via the one or moreprocessors, a transaction risk for each instance in which thetransaction record reflects a real-time deviation from the one or morenormal values of one of the plurality of long-term profiles that exceedsa corresponding threshold; inputting, via the one or more processors,the real-time transaction data to the artificial intelligence classifierto generate an exception, the real-time transaction data being input tothe artificial intelligence classifier in real-time and in parallel withthe incrementing of the transaction risk; outputting, via the one ormore processors, a fraud likelihood determination from the applied fraudmodel in real-time based at least in part on the incremented transactionrisk and the exception; and updating, via the one or more processors,the plurality of long-term profiles based on the transaction record togenerate an updated plurality of long-term profiles for theaccountholder.
 2. The computer-implemented method of claim 1, furthercomprising decrementing, via the one or more processors, the transactionrisk corresponding to the transaction record for each instance in whichreal-time deviation of the transaction record from the one or morenormal values of one of the plurality of long-term profiles does notexceed the corresponding threshold.
 3. The computer-implemented methodof claim 2, wherein incrementing the transaction risk based on one ofthe plurality of long-term profiles includes updating a correspondingreal-time profile based on the transaction record and comparing thereal-time profile against the long-term profile to determine thedeviation.
 4. The computer-implemented method of claim 1, furthercomprising— receiving, at the one or more processors, a secondtransaction record including second real-time transaction data relatingto a second transaction of the accountholder; matching, via the one ormore processors, the second transaction record to an updated appliedfraud model of the accountholder that includes the updated plurality oflong-term profiles and the artificial intelligence classifier;incrementing, via the one or more processors, a second transaction riskfor each instance in which the second transaction record reflects areal-time deviation from the one or more normal values of one of theupdated plurality of long-term profiles that exceeds the correspondingthreshold; inputting, via the one or more processors, the secondreal-time transaction data to the artificial intelligence classifier togenerate a second exception, the second real-time transaction data beinginput to the artificial intelligence classifier in real-time and inparallel with the incrementing of the second transaction risk;outputting, via the one or more processors, a second fraud likelihooddetermination from the updated applied fraud model in real-time based atleast in part on the second incremented transaction risk and the secondexception; and updating, via the one or more processors, the updatedplurality of long-term profiles based on the second transaction recordto generate a twice updated plurality of long-term profiles for theaccountholder.
 5. The computer-implemented method of claim 1, furthercomprising feeding, via a bus configured to receive transaction recordsand feed corresponding transaction data to fraud models in real-time andin parallel, the real-time transaction data to the applied fraud modeland second real-time transaction data to a second applied fraud model,wherein— the applied fraud model is a first applied fraud model thatcorresponds to a first transactional channel and the artificialintelligence classifier is a first artificial intelligence classifiertrained to flag fraudulent activity based on historical transaction datawithin the first transactional channel, the transaction record is afirst transaction record relating to a first transaction occurring inthe first transactional channel, the second real-time transaction datais generated from a second transaction record relating to a secondtransaction occurring in a second transactional channel, the secondapplied fraud model corresponds to the second transactional channel andincludes a second artificial intelligence classifier trained to flagfraudulent activity based on historical transaction data within thesecond transactional channel.
 6. The computer-implemented method ofclaim 5, further comprising adjusting, via the one or more processors, asecond threshold of the second applied fraud model based on theincremented transaction risk from the first applied fraud model.
 7. Thecomputer-implemented method of claim 5, further comprising—incrementing, via the one or more processors, the incrementedtransaction risk in real-time at least in part by implementing avelocity vector pointing to a rolling list of a long-term profile of thesecond applied fraud model to determine whether the second transactionrecord causes the rolling list to exceed a second threshold.
 8. Thecomputer-implemented method of claim 1, wherein— the exception of theartificial intelligence classifier includes an independently computedsupplemental fraud score, the transaction risk comprises a risk fraudscore, the fraud likelihood determination is made at least in part bycomputing, via the one or more processors, a final fraud score using aweighted summation of the supplemental fraud score and the risk fraudscore.
 9. The computer-implemented method of claim 8, wherein computingthe final fraud score includes retrieving one or more user-tunedweighting adjustments and incorporating the weighting adjustments intothe weighted summation.
 10. A monitoring payment network server forreal-time transaction fraud vetting, comprising: one or more processors;a bus configured to feed at least parts of transaction records inparallel line-by-line to one or more applied fraud channel models; and anon-transitory computer-readable storage media havingcomputer-executable instructions stored thereon, wherein when executedby the one or more processors the computer-readable instructions causethe one or more processors to— receive a transaction record thatincludes real-time transaction data relating to a transaction of anaccountholder; match the transaction record to an applied fraud modelthat includes— a plurality of long-term profiles of the accountholderthat correspond respectively to a plurality of attributes of transactionbehavior of the accountholder, each of the plurality of long-termprofiles defining one or more normal values for each of the plurality ofattributes computed from historical transaction records of theaccountholder, and an artificial intelligence classifier that isconstructed according to at least one of: a neural network, case-basedreasoning, a decision tree, a genetic algorithm, fuzzy logic, and rulesand constraints, the artificial intelligence classifier being trained toflag fraudulent activity based on historical transaction data of aplurality of accountholders; increment a transaction risk for eachinstance in which the transaction record reflects a real-time deviationfrom the one or more normal values of one of the plurality of long-termprofiles that exceeds a corresponding threshold; input the real-timetransaction data to the artificial intelligence classifier to generatean exception, the real-time transaction data being input to theartificial intelligence classifier in real-time and in parallel with theincrementing of the transaction risk; output a fraud likelihooddetermination from the applied fraud model in real-time based at leastin part on the incremented transaction risk and the exception; andupdate the plurality of long-term profiles based on the transactionrecord to generate an updated plurality of long-term profiles for theaccountholder.
 11. The monitoring payment network server of claim 10,wherein the computer-executable instructions further cause the at leastone processor to decrement the transaction risk corresponding to thetransaction record for each instance in which real-time deviation of thetransaction record from the one or more normal values of one of theplurality of long-term profiles does not exceed the correspondingthreshold.
 12. The monitoring payment network server of claim 11,wherein incrementing the transaction risk based on one of the pluralityof long-term profiles includes updating a corresponding real-timeprofile based on the transaction record and comparing the real-timeprofile against the long-term profile to determine the deviation. 13.The monitoring payment network server of claim 10, wherein thecomputer-executable instructions further cause the at least oneprocessor to— receive a second transaction record including secondreal-time transaction data relating to a second transaction of theaccountholder; match the second transaction record to an updated appliedfraud model of the accountholder that includes the updated plurality oflong-term profiles and the artificial intelligence classifier; incrementa second transaction risk for each instance in which the secondtransaction record reflects a real-time deviation from the one or morenormal values of one of the updated plurality of long-term profiles thatexceeds the corresponding threshold; input the second real-timetransaction data to the artificial intelligence classifier to generate asecond exception, the second real-time transaction data being input tothe artificial intelligence classifier in real-time and in parallel withthe incrementing of the second transaction risk; output a second fraudlikelihood determination from the updated applied fraud model inreal-time based at least in part on the second incremented transactionrisk and the second exception; update the updated plurality of long-termprofiles based on the second transaction record to generate a twiceupdated plurality of long-term profiles for the accountholder.
 14. Themonitoring payment network server of claim 10, wherein thecomputer-executable instructions further cause the at least oneprocessor to— feed, via the bus, the real-time transaction data to theapplied fraud model and second real-time transaction data to a secondapplied fraud model, wherein— the applied fraud model is a first appliedfraud model that corresponds to a first transactional channel and theartificial intelligence classifier is a first artificial intelligenceclassifier trained to flag fraudulent activity based on historicaltransaction data within the first transactional channel, the transactionrecord is a first transaction record relating to a first transactionoccurring in the first transactional channel, the second real-timetransaction data is generated from a second transaction record relatingto a second transaction occurring in a second transactional channel, thesecond applied fraud model corresponds to the second transactionalchannel and includes a second artificial intelligence classifier trainedto flag fraudulent activity based on historical transaction data withinthe second transactional channel.
 15. The monitoring payment networkserver of claim 14, wherein the computer-executable instructions furthercause the at least one processor to adjust a second threshold of thesecond applied fraud model based on the incremented transaction riskfrom the first applied fraud model.
 16. The monitoring payment networkserver of claim 14, wherein the computer-executable instructions furthercause the at least one processor to increment the incrementedtransaction risk in real-time at least in part by implementing avelocity vector pointing to a rolling list of a long-term profile of thesecond applied fraud model to determine whether the second transactionrecord causes the rolling list to exceed a second threshold.
 17. Themonitoring payment network server of claim 10, wherein— the exception ofthe artificial intelligence classifier includes an independentlycomputed supplemental fraud score, the transaction risk comprises a riskfraud score, the fraud likelihood determination is made at least in partby computing a final fraud score using a weighted summation of thesupplemental fraud score and the risk fraud score.
 18. The monitoringpayment network server of claim 17, wherein computing the final fraudscore includes retrieving one or more user-tuned weighting adjustmentsand incorporating the weighting adjustments into the weighted summation.19. Non-transitory computer-readable storage media havingcomputer-executable instructions for real-time transaction fraudvetting, wherein when executed by at least one processor thecomputer-readable instructions cause the at least one processor to:receive a transaction record that includes real-time transaction datarelating to a transaction of an accountholder; match the transactionrecord to an applied fraud model that includes— a plurality of long-termprofiles of the accountholder that correspond respectively to aplurality of attributes of transaction behavior of the accountholder,each of the plurality of long-term profiles defining one or more normalvalues for each of the plurality of attributes computed from historicaltransaction records of the accountholder, and an artificial intelligenceclassifier that is constructed according to at least one of: a neuralnetwork, case-based reasoning, a decision tree, a genetic algorithm,fuzzy logic, and rules and constraints, the artificial intelligenceclassifier being trained to flag fraudulent activity based on historicaltransaction data of a plurality of accountholders; increment atransaction risk for each instance in which the transaction recordreflects a real-time deviation from the one or more normal values of oneof the plurality of long-term profiles that exceeds a correspondingthreshold; input the real-time transaction data to the artificialintelligence classifier to generate an exception, the real-timetransaction data being input to the artificial intelligence classifierin real-time and in parallel with the incrementing of the transactionrisk; output a fraud likelihood determination from the applied fraudmodel in real-time based at least in part on the incremented transactionrisk and the exception; and update the plurality of long-term profilesbased on the transaction record to generate an updated plurality oflong-term profiles for the accountholder.
 20. The computer-readablestorage media of claim 19, wherein, when executed by the at least oneprocessor, the computer-readable instructions further cause the at leastone processor to decrement the transaction risk corresponding to thetransaction record for each instance in which real-time deviation of thetransaction record from the one or more normal values of one of theplurality of long-term profiles does not exceed the correspondingthreshold.